Getting Slack with security

It's been a while since I last posted. The first 6 months of my new security role have been exciting, with lots of learnings to share.

I thought I'd share the security Slack channels we are using, which help us as a team and promote a healthy, engaging security culture.

#Suspicious_Activity

We created this channel as a way for employees to share anything that concerns them with the security team. Using Slack for this rather than other reporting routes has the added benefit that other employees can see the reports and be alerted too. Often we get multiple confirmations, which gives us a better list of people to talk to right away.

We get reports ranging from strange behaviour on users' machines to phishing / vishing attempts and issues with physical security. The key here is that employees are welcome to report anything; nothing is considered too trivial.

They can be assured that when they post they will get a timely and supportive response from the security team.

Best of all, #Suspicious_Activity gives us the chance to praise people for reporting issues and handling incidents in line with the security awareness training they did with us. We always sign off with 'Security is a team sport, and your reports are helping everyone keep safe'.

Periodically I summarise the events reported back to our general channel, as a security awareness message and a concise reminder of what to do if employees experience the same kind of problem.

We do have other means of reporting issues (phone, e-mail, a report-an-issue form), but so far this channel has been the most engaging and rewarding for both our users and the security team.

#Vuln-Alarming (Vulnerability alerting)

We have a vulnerability alerting channel subscribed to all of our cloud tool and vendor security RSS feeds (using Slack's /feed command).

The security team, our SRE team and anyone else who is interested can see the alerts from vendors and the vulnerability alert updates provided by groups like US-CERT.

Again, multiple eyes on these feeds has been very positive. The security team works with our SRE team using a simple emoji voting system to signal the status of each update posted in the channel: 👀 for 'I'm reading this update', ❗️ for 'we have an issue we need to address', and ✅ for 'patching is done / no issue, all clear'.

If something warrants it, we can briefly triage in channel or elect to have a chat or a quick meeting.

We also pipe in alerts from the defnd.io tool we use, made by @safestack. This gives us vulnerability alerting across a huge range of cloud tools, plus any changes to those tools' terms of service / policies that we may want to be aware of. It also scans for domain names similar to those we own, so we can be aware of potential phishing attacks launched from them much sooner.

#Security

We of course have a general security chat channel open to all, mostly to discuss security news items that employees wish to share and discuss with others. The theme of multiple eyes and shared learning continues here.

The very important tip I have to offer here is to watch for articles posted, or people giving out, poor security advice and practices. I watch this channel closely for this and try, in a non-combative way, to make contributions that put people on the right track.

One such example was the discussion around recent vulnerability disclosures in popular password managers and SMS 2FA. While some of the flaws exposed were admittedly quite glaring, the discussion in channel created the impression, especially for some of our less technical users, that password managers and 2FA were broken or not an effective means of protecting their accounts.

We had to reaffirm that, while nothing is perfect, both password managers and 2FA are absolutely essential and highly effective measures to have in place against the kinds of threats that face the typical user in our company (and where SMS is the only second factor a service offers, it is still far better than no second factor at all).

Moving on to some of the channels that are specific to the security team.

#Security_unplanned (Private Channel)

This is a trick I picked up from our awesome SRE team. We have a private channel where members of the security team can quickly post a note outlining any unplanned work that has come up.

It can be user questions, requests, or a note that something has not gone to plan and needed extra work to get done.

We periodically review the channel history and summarise these items. It gives us insight into where we could build new run books or wiki articles, add training, or automate something that is taking up our time.

Especially if it is a recurring need for our users, we can build something that helps users help themselves.

#Security_alerting

Many of the tools we use can ship logs to a log store like Splunk or Sumo Logic, which can in turn drive a Slack bot that alerts on events of interest to us.

It's still something of an experiment right now, but so far it has been a real help. We hope to improve the quality of the alerts by including the associated run books or useful links when an alert triggers.
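As an added example (not code from the original post), here is a small Python formatter that takes an alert as a log store might post it to a webhook and turns it into a Slack incoming-webhook message carrying the matching run book link. The alert shape, the alert names and the run book URLs are assumptions, and the sample alert is constructed; the one security detail worth noting is that every field that came from a log line is escaped, so a crafted log entry cannot smuggle a `<!channel>` mention or a link into the alert.

```python
import json
import urllib.request

# Assumed mapping from alert name to run book; in practice this lives in your wiki.
RUNBOOKS = {
    "mfa_disabled": "https://wiki.example.com/runbooks/mfa-disabled",
    "admin_login_new_country": "https://wiki.example.com/runbooks/admin-login-new-country",
}
DEFAULT_RUNBOOK = "https://wiki.example.com/runbooks/triage-unknown-alert"

SEVERITY_EMOJI = {
    "high": ":rotating_light:",
    "medium": ":warning:",
    "low": ":information_source:",
}


def escape_mrkdwn(text: str) -> str:
    """Escape the characters Slack mrkdwn treats specially, so a crafted log
    field (e.g. '<!channel>') cannot inject mentions or links into the alert."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def runbook_for(alert_name: str) -> str:
    """Pick the run book for an alert, falling back to a generic triage page."""
    return RUNBOOKS.get(alert_name, DEFAULT_RUNBOOK)


def build_slack_message(alert: dict) -> dict:
    """Build a Slack incoming-webhook payload (Block Kit) for one alert.

    `alert` is the assumed shape posted by the log store:
    {"alert_name": str, "severity": str, "source": str, "fields": {...}}
    """
    name = str(alert.get("alert_name", "unknown_alert"))
    severity = str(alert.get("severity", "low")).lower()
    source = str(alert.get("source", "unknown"))
    emoji = SEVERITY_EMOJI.get(severity, SEVERITY_EMOJI["low"])

    # Every field key and value came from a log line, so treat it as untrusted text.
    fields = alert.get("fields") or {}
    field_lines = "\n".join(
        f"*{escape_mrkdwn(str(k))}:* {escape_mrkdwn(str(v))}"
        for k, v in sorted(fields.items())
    )

    return {
        # Plain-text fallback shown in notifications and by clients without Block Kit.
        "text": f"{emoji} {escape_mrkdwn(name)} ({severity}) from {escape_mrkdwn(source)}",
        "blocks": [
            {"type": "header", "text": {"type": "plain_text", "text": f"{name} [{severity}]"}},
            {"type": "section", "text": {"type": "mrkdwn", "text": field_lines or "_no fields_"}},
            {
                "type": "context",
                "elements": [
                    {
                        "type": "mrkdwn",
                        "text": f"Run book: <{runbook_for(name)}|{escape_mrkdwn(name)}>"
                        f" | Source: {escape_mrkdwn(source)}",
                    }
                ],
            },
        ],
    }


def post_to_slack(webhook_url: str, alert: dict) -> int:
    """POST the formatted alert to a Slack incoming webhook; returns the HTTP status."""
    body = json.dumps(build_slack_message(alert)).encode("utf-8")
    req = urllib.request.Request(
        webhook_url, data=body, headers={"Content-Type": "application/json"}, method="POST"
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed sample alert, shaped as a log store's webhook might post it.
SAMPLE_ALERT = {
    "alert_name": "mfa_disabled",
    "severity": "high",
    "source": "okta",
    "fields": {"user": "alice@example.com", "src_ip": "203.0.113.7", "note": "<!channel> ignore"},
}

if __name__ == "__main__":
    # Print the payload instead of posting it, so the example runs offline.
    print(json.dumps(build_slack_message(SAMPLE_ALERT), indent=2))
```

Wire `post_to_slack` to a webhook URL kept in a secret store rather than in the script, and keep the run book mapping alongside the alert definitions so that a new alert cannot ship without a page telling the responder what to do next.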

#Incident_response (Private)

Each incident response gets its own channel, with a descriptive title that includes the date in the channel name.

Besides the obvious communication and transparency advantages for incident responders, we can use the channel timeline to help construct our blameless post-mortems. Once the incident is resolved we hold our initial discussion and talk through our planned mitigations before publishing the post-mortem to the wider business for review and feedback.

It has been very beneficial to look retrospectively at commonalities between incident responses of the same kind, especially for phishing attacks, where we can start to look at who was targeted and how. We use this information to refine our security awareness messaging and training for our users, and it gives us ideas for improving the run books and incident response plans we maintain for such incidents.

#Security team channel

Lastly, a few things I wanted to share about our security team's channel that I think have been beneficial.

We share our team's mission and goals for the week in channel. This keeps us focused on the results we want to achieve week to week, and has the added benefit that others can see what we are working on too.

It's great for engineering teams to see upcoming penetration testing or gain visibility of the security reviews we are conducting.

I have just started, at month end, to quickly review the work we have completed and post a summary of the security team's wins.

It's really positive to take a brief moment to celebrate the things we are achieving as a team. Successful incident responses and improvements to training and security awareness communications are the kinds of things we want to call out and be proud of.

Keen to hear what you are all doing with Slack to help your security efforts where you work. Hit me up on Twitter and say hi @SparkleOps :)